All-Dynamics Software enlogic:show Digital Signage System 2.0.2 Session Fixation

Title: All-Dynamics Software enlogic:show Digital Signage System 2.0.2 Session Fixation
Advisory ID: ZSL-2020-5577
Type: Local/Remote
Impact: Security Bypass, Privilege Escalatio, Cross-Site Scripting
Risk: (3/5)
Release Date: 31.07.2020
Summary
Bring communication with your customers, guests or employees to a new level. You can design content individually and uncomplicated centrally and simply present it in different locations. Whether on large displays, steles, digital signs or on a projector, with enlogic:show your content will appear on the selected display in a calendar-controlled and precise manner.
Description
The initial visit from the welcome.php screen to the login page sets a random PHP session identifier in the URL using HTTP GET request. An attacker can forge the request sent to the victim setting a fixated PHP session that can be used to bypass authentication and execute further attacks via CSRF.
Vendor
All-Dynamics Software GmbH - https://www.all-dynamics.de
Affected Version
2.0.2 (Build 2098) ILP32W 0/1/3/1597919619
Tested On
enlogic:show server
Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows Server 2012
Microsoft Windows 10
GNU/Linux
Apache
PHP
Vendor Status
[21.07.2020] Vulnerability discovered.
[24.07.2020] Vendor contacted.
[24.07.2020] Vendor creates Ticket#2020072410000011.
[27.07.2020] Vendor responds asking more details.
[27.07.2020] Sent details to the vendor.
[29.07.2020] Vendor confirms the issue scheduling new fixed version release.
[29.07.2020] Replied to the vendor.
[31.07.2020] Vendor releases version 2.0.3 (Build 2102) that addresses this issue.
[31.07.2020] Coordinated public security advisory release.
PoC
enlogic_fixation.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.enlogic-show.com/support/changelog/news/2_0_3.html
[2] https://packetstormsecurity.com/files/158703
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/186246
Changelog
[31.07.2020] - Initial release
[14.08.2020] - Added reference [2] and [3]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk